Data Processing Agreement
Last updated: March 30, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and N&P Soft, operating as TrackNCloak ("Processor", "Company", "we", "us") for the processing of personal data in connection with the Service provided at trackncloak.com.
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as processed through the Service on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Data Subjects" means the individuals whose Personal Data is processed through the Service (typically the Controller's website visitors and ad campaign audiences).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Roles
2.1 Controller
You (the Customer) are the Controller of Personal Data processed through the Service. You determine the purposes and means of processing. You are responsible for:
- Ensuring a lawful basis for processing (consent, legitimate interest, etc.);
- Providing appropriate privacy notices to Data Subjects;
- Responding to Data Subject rights requests;
- Complying with all applicable data protection laws.
2.2 Processor
N&P Soft (operating as TrackNCloak) is the Processor. We process Personal Data only on your documented instructions and solely for the purpose of providing the Service. We do not process Personal Data for our own purposes beyond what is necessary to deliver and maintain the Service.
3. Categories of Data Processed
The Personal Data processed through the Service may include, depending on how you configure your campaigns:
- IP addresses of visitors;
- User agent strings (browser type, operating system, device information);
- Geo-location data derived from IP addresses (country, region, city);
- Referrer URLs and landing page URLs;
- Click timestamps and conversion events;
- Unique visitor identifiers (cookies, click IDs);
- Any custom parameters passed through tracking URLs by the Controller.
We do not require or encourage the collection of special categories of data (racial or ethnic origin, health data, etc.) through the Service.
4. Processor Obligations
N&P Soft (operating as TrackNCloak) shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case, we will inform the Controller of that legal requirement before processing, unless prohibited by law);
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments;
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, and objection) insofar as this is possible;
- Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
- At the choice of the Controller, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by applicable law;
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors. The current list of Sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting and infrastructure | Germany / Singapore |
| Neon Inc. | PostgreSQL database hosting | United States |
| Razorpay Software Pvt. Ltd. | Payment processing | India |
| Brevo (Sendinblue) | Transactional email delivery | France |
| Cloudflare, Inc. | DNS, CDN, and DDoS protection | United States |
5.2 Changes to Sub-processors
We will notify the Controller, by updating this page and sending an email notification, at least 15 days before engaging a new Sub-processor or replacing an existing one. The Controller may object to a new Sub-processor within 15 days of notification. If the Controller objects on reasonable grounds related to data protection and we cannot accommodate the objection, the Controller may terminate the Service.
5.3 Sub-processor Obligations
We impose contractual obligations on each Sub-processor that are no less protective than those in this DPA. We remain liable for the acts and omissions of our Sub-processors to the same extent as if we were performing the processing directly.
6. Data Breach Notification
- We will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
- The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- We will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Notification of a breach shall not be construed as an acknowledgment of fault or liability.
7. Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission;
- The UK International Data Transfer Addendum where applicable;
- Adequacy decisions by the European Commission where available;
- Supplementary measures where required by the Schrems II decision.
8. Data Deletion and Return
Upon termination of the Service or upon the Controller's written request:
- We will delete all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
- Upon request prior to deletion, we will provide the Controller with a copy of the Personal Data in a commonly used, machine-readable format (CSV or JSON).
- We will certify deletion in writing upon the Controller's request.
9. Audits
The Controller may conduct audits (directly or through a mandated third-party auditor bound by confidentiality) to verify compliance with this DPA, subject to the following conditions:
- Reasonable advance notice of at least 30 days;
- Audits conducted during normal business hours;
- Scope limited to processing activities relevant to the Controller;
- No more than one audit per 12-month period unless required by a supervisory authority;
- The Controller bears the costs of the audit.
As an alternative, we may provide relevant audit reports, SOC 2 certifications, or other evidence of compliance upon request.
10. Duration and Termination
This DPA takes effect when you start using the Service and remains in force for as long as we process Personal Data on your behalf. The obligations regarding confidentiality and data deletion survive termination.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12. Contact
For questions about this DPA or to exercise rights under it, contact us at help@trackncloak.com.